KR20210110597A - Digital Identity Management Device - Google Patents

Abstract

Identification Management Devices and Identification Management Systems. The apparatus includes a processor operatively coupled to a memory, a display, and a communication interface. The device may store instructions, wherein the instructions, when executed by the processor, cause the process to receive, through the communication interface, from a user interface at least one identification record comprising identification data capable of being visually delineated; Update the display and a user device interface configured to store in the memory to implement a user interface configured to display the visually descriptive identification data. The identification record contains authentication data. The authentication data may be displayed on the device or transmitted securely.

Description

Identification Management Device

Embodiments of the present invention generally relate to the field of data storage and transmission, and more particularly to apparatus and methods for management of identification and authentication information.

A person or user is typically associated with multiple roles or people across various networks and organizations. Each of these identities may also change over time as a user moves between roles, changes a name, or leaves or joins an organization. By managing each of these identities, users gain authenticated access to secure systems or data, as well as interact with others.

Traditional methods of exchanging identity information can be costly for the user as well as the recipient of the information. For many interactions where identification information is shared to enhance the interaction, individuals can incur substantial opportunity costs in terms of time, lost resources, available transmission capacity, and quality of the interaction.

One example is the interaction between individuals in a professional setting, where contact information is ideally distributed so that the recipient has tangible access to the identity of the host. Traditionally, this function is accomplished by the distribution of business cards. However, even when individuals can accurately predict the role and target for which they wish to provide identity information, business cards have limited delivery capacity. Because of this limited delivery capacity, the user may provide lower-quality interactions, such as when the number of possible interactions is greater than the number of actual recognizable attestations, by providing additional interactions, or less effectively and less memorably.

To further elaborate the above example, consider the situation where the first individual 'person 1' is the host of a meeting or other function that requires an expert recognition certificate or introduction via a business card. An action can be considered a high-quality interaction, for reasons of holding, a person (1 may be limited to holding n cards).

During the meeting, person 1 can be successful with high-quality interactions with n individuals by giving each person a card. However, for the (n+1)th interaction, person 1 has no business card to offer, so These low-quality interactions will either return to more processes of exchanging information (such as entering email addresses or phone numbers), use less effective methods of exchanging recognition information, or Even successful high-quality interactions can incur significant costs in terms of time, due to the fact that they have to sequentially introduce and distribute their credentials to n people.

Each participant holds another's business card, additionally having limited holding capacity. If the carrying capacity for another business card of person 1 is n, person 1 may need to reject the (n+1)th card to be presented later from the interaction.

In addition to contact information, users are specifically required to retain or manage other forms of identification, such as physical and electronic forms. For example, users may need to manage driver's licenses, security badges or other identification cards, one-time password generators for multi-factor authentication, and the like. Similarly, users have multiple identities with different login credentials throughout the system. The problem can be multiplied for users who have authenticated access to the system in multiple organizations. Generally, each organization to which a user has physical access will issue a badge, key card, or other device intended to be reviewed or scanned upon access to the facility. Therefore, those users need to have a significant stack of physical credentials to access facilities and systems on a daily basis.

Although a number of identification management techniques are known, these techniques cannot alleviate the problems posed by the need to securely store and transmit identification information. From a contact management perspective, while an individual can create multiple business cards, cards for each different organization and role must be managed and physically distributed. Similarly, contact management software applications exist, but they require the sender and receiver to use similar or compatible technologies to facilitate the exchange.

Security and authentication are also additional issues to existing systems. While password managers can easily remove recalls and the burden of entering different login credentials, such a system cannot provide a second element of authentication, such as a one-time password. Furthermore, the use of password manager and authenticator applications creates the risk of unauthorized access to sensitive data.

Embodiments of the present invention provide identification management devices, systems, and methods for improving identification management techniques by providing identification records to secure and portable storage to include contact information and security information.

An embodiment of the present invention includes an identification management device, the identification management device comprising a processor operatively coupled to a memory, a display and a communication interface, and an instruction, wherein the instruction, when executed by the processor, causes the process to updating the display and a user device interface configured to receive from a user interface via the communication interface and store in the memory at least one identification record comprising visually delineable identification data, the visually depictable Implement a user interface configured to display identifying data that can be

In embodiments, the identification management device further comprises at least one user input sensor operatively coupled to the processor. The user input sensor may include a push button switch.

In embodiments, the user interface, upon receiving an indication of user input from the user input sensor, causes a display to switch between displaying the identification data in a first user readable format and a second machine readable format. It is further provided for toggling. The machine readable format may be a one-dimensional barcode, a two-dimensional barcode, and a copy protection hologram.

In embodiments, the communication interface is configured to encrypt outgoing communications and decrypt incoming communications.

In embodiments, the identification record may further include an authentication data element.

In embodiments, the user interface may be configured to update the display to present the authentication data element upon receiving an indication of a user input from the user input sensor.

In embodiments, the instruction may further cause the processor to operate an authentication manager to transmit the authentication data element to an external device via the communication interface.

In embodiments, the identification management device further comprises a radio frequency generator operatively coupled to the processor, wherein the instruction indicates that the processor transmits a radio frequency signal based on the authentication data via the radio frequency generator. You can run the authentication manager to make it happen.

In embodiments, the instruction is configured to cause the processor to transmit at least one identification record to a receiving device via the communication interface, and to receive one or more identification records from a transmitting device via the communication interface. You can make the ID sharing interface work.

In embodiments, the communication interface is a Bluetooth (BLUETOOTH) interface, a Wi-Fi (WI-FI) interface or Near Field Communications; NFC) may include at least one of the interfaces. In embodiments, the display may include an electronic paper display.

In embodiments, an identification management system includes an identification management device and a user device, the user device comprising at least one user device processor and at least one user device memory, the user device comprising the identification management device a user interface communicatively coupled to a communication interface of a device, wherein the user device memory is configured to: when the user device processor is executed according to a user device instruction, the user device processor receives identification data from a user and generates an identification record stored to implement

In embodiments, the user device instruction may cause the user device processor to implement an identification management device interface configured to send an identification record to the identification management device. In embodiments, the identification management device interface may be configured to encrypt the identification record before transmission to the identification management device.

In embodiments, an identification management method for controlling user access to a security source includes, in a security system, receiving authentication data including a certificate based on a private key from an identification management device, and from the user by the security system requesting a private key code, receiving the private key code provided from a user, extracting, by the security system, an identifier of the user from the private key to determine whether the provided private key code matches the private key; , generate an error if it is determined that the provided private key code does not match the private key, and if it is determined that the provided private key code matches the private key, send the user to the security system based on the extracted identifier of the user. determine whether the user is authorized to access the security system, and if the user is authorized to access the security system, grant the user access to the security system.

In embodiments, the authentication manager may be arranged to provide the authentication data to the security system by way of at least one of a wireless signal or a machine readable display of authentication data.

In embodiments, the provided private key code may be a personal identification number. The security system may be a computing resource or a physical environment.

When the security system is a physical environment, granting user access to the security system may include allowing the user to access the physical environment.

In embodiments, an identification management method includes receiving a data element of an identification record comprising visually delineable identification data at a user device, receiving a connection request to an identification management device, and connecting to the identification management device , transmitting identification data from the user device to the identification management device, and displaying the visually delineable identification data on the identification management device.

In embodiments, the identification management method receives, from a first user of a first identification management device, a selection of an identification record stored in a memory of the identification management device, and, in the first identification management device, from the first user Receive an instruction to transmit the identification record, receive an instruction to receive an identification record from a second user of a second identification management device, and receive an instruction to receive an identification record from the first identification management device to a second identification management device of the identification record transmitting at least a portion, and storing, in the second identification management device, at least a portion of the identification record in a memory of the second identification management device.

In embodiments, at least a portion of the identification record may include public display data of the identification record, and at least a portion of the identification record may not include personal authentication data of the identification record.

In embodiments, the method includes receiving, at a user device associated with the second user, a request to synchronize with the second identification management device, and transferring the at least a portion of the at least part from the second identification management device to the user device. The method may further include transmitting identification data.

In embodiments, the identification management method includes, in a first identification management device, receiving, from a first user, a selection of an identification record stored in a memory of the identification management device, and in the first identification management device, from the first user receive an instruction to transmit identification data; receive, at a first user device associated with the first user, a request to broadcast the identification record; receive, at one or more other user devices, notification of available identification data; , receiving, at at least one of the one or more user devices, an identification record.

In embodiments, the method may include, prior to receiving the identification record, requesting authorization associated with each of the one or more user devices to receive the identification record.

In embodiments, identification data may be transmitted from the first user device to one or more other user devices via a direct wireless connection. The connection is directed to another user device. In embodiments, the identification data may be transmitted from the first user device to an identification management system. Identification data from the identification management system may be transmitted to each of one or more other user devices.

The above summary is not intended to describe each described embodiment or every application of features of the present invention. The drawings and description set forth below are illustrative of a plurality of embodiments.

The main content of the present specification may be more fully understood in consideration of the following detailed description of various embodiments with reference to the following drawings.

1 is a schematic diagram illustrating components of an identification management apparatus according to an embodiment.
2A is a plan view illustrating an identification management apparatus according to an exemplary embodiment.
2B is a perspective view illustrating an identification management apparatus according to an exemplary embodiment.
2C is a perspective view illustrating an identification management apparatus according to an embodiment.
3 is a schematic diagram illustrating a configuration of an identification record according to an embodiment.
4 is a schematic diagram illustrating a sample identification record according to an embodiment.
5A is a plan view illustrating a screen of an identification management apparatus according to an exemplary embodiment.
5B is a plan view illustrating a screen of an identification management apparatus according to an exemplary embodiment.
5C is a plan view illustrating a screen of an identification management apparatus according to an exemplary embodiment.
6 is a schematic diagram illustrating an identification record data flow according to an embodiment.
7 is a schematic diagram illustrating an ID management application according to an embodiment.
8A-8G are mock-up diagrams illustrating screens of an ID management application according to an embodiment.
9 is a flowchart illustrating a method for transmitting data to an identification management apparatus according to an embodiment.
10 is a flowchart illustrating a method for transmitting data between identification management devices according to an embodiment.
11A and 11B are plan views illustrating a screen of an identification management apparatus according to an exemplary embodiment.
12 is a schematic diagram illustrating an ID record data flow according to an embodiment.
13 is a flowchart illustrating a method for transmitting identification data according to an embodiment.
14 is a schematic diagram illustrating an identification management system according to an embodiment.
15 is a flowchart illustrating a method access control according to an embodiment.
While various embodiments are susceptible to various modifications and alternative forms, the details thereof are set forth in detail, for example, in the drawings. It should be understood, however, that the intent is not to limit the claimed invention to the specific embodiments described. To the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the subject matter as defined in the claims.

Embodiments relate to systems and methods for identity management comprising an identity management device that combines the functions of a secure identity database, a secure transmitter, and an identifying information display into a single protection type.

1 is a schematic diagram illustrating components of an identification management apparatus according to an embodiment. The identification management device 100 may include a processor 102 , a memory 104 , a power supply 106 , a display 108 , a communication interface 110 , and a user control 120 . Components of the identification management device 100 may be operatively coupled via a bus or other mechanism known in the art (not shown).

Processor 102 may include one or more microprocessors or central processing units (CPUs) configured to carry out instructions of a computer program. Identity management device 100 may include volatile memory, while memory 104 includes non-volatile memory, such as flash memory, configured to provide data storage for various records and data elements as discussed herein. . The power supply 106 may include a rechargeable internal power source, such as a battery, and/or an external power source, which may be provided through one or more external ports, such as a universal serial bus (USB) port. In embodiments, the power supply 106 may support charging an internal battery via an external port, or induction or other wireless charging technology.

The display 108 may include a liquid crystal display (LCD), cathode ray tube (CRT), electronic ink (also known as E-ink) display. Display 108 may generate black and white, gray scale, or color images.

Referring back to FIG. 1 , the communication interface 110 of the identification management device 100 is a wired connection (via a universal serial bus (USB), serial (RS-232), parallel, or other port (not shown)) at least one physical communication mechanism or wireless connection (Wi-Fi, Bluetooth, Bluetooth Low Energy, ZIGBEE, Z-WAVE, Near Field Communication (NFC; ECMA-340 and ISO/IEC) (18092 standard, or other wireless connection standards or The communication interface 110 may provide one or more logical interfaces, such as an interface 114 between a user device interface 112 and an identity management device (IMD). may be operatively coupled to an external device via one or more communication mechanisms provided by 110. User interface 124 may allow a user to process input from 120 and provide output to display 108. have.

2A, 2B, and 2C illustrate an appearance of an identification management apparatus according to an exemplary embodiment. User controls 120 may reside on, through, or within housing 122 . User control 120 may be a switch, button, touch screen control, or any other control that allows a user to provide input to identification management device 100 . 2A-2C, the user control 120 includes a left button 120a, a right button 120b, and a lower button 120c. In one embodiment, each button ( 120a - 120c may include tactile momentary unipolar single-projection switches In one embodiment, left button 120a may enable the user to page or flip between identification records or views. The right button 120b allows the user to trigger data sharing communication, and the lower button 120c can be used to toggle the identification management device 100 from an ON state to an OFF state.

In one embodiment, fewer user controls 120 may be provided. For example, in one embodiment, the user includes an optical sensor such as a camera, fingerprint scanner, or other sensor capable of detecting the user's biometric data. In one embodiment, user control 120 may include one or more external ports for connecting a keyboard or other user interface device. In another embodiment, the user controls 120 may include an accelerometer so that the orientation and movement of the identification management device 100 can be detected.

The housing 122 may be a case surrounding the internal components of the identification management device 100 . The housing 122 may include at least one material, which may be plastic, metal, wood, or other non-deformable material. The housing 122 may include at least one layer of waterproof material. Housing 122 may have a range of dimensions, in embodiments, housing 122 may be about (2.75 inches or 70 mm high, about 4 inches or (100 mm wide) and about (1/4 inch or It may have a depth of 6.35 mm.This specification may support other sizes through zooming, scaling, cropping, or other operations, but allows the display 108 to display an image of a standard credit card, business card, or security identification card. Allows depiction without expansion or cropping (in a 1:1 scale ratio). As shown in Figure 2a, display 108 may show identification record 200, which will be described in greater detail below. have.

3 is a schematic diagram illustrating a data configuration of an identification record 200 that may be stored in a memory 104 according to an embodiment. The identification record 200 may include both public and secure data elements. The identification record 200 may include an ID (ID) 202 corresponding to a globally unique identifier, serial number, or other data element that uniquely identifies the identification record 200. Display data ( 204 may include at least one image for depiction on display 108 in association with the identification record 200. The image data may include, for example, a portable network graphic (PNG), a scalable vector graphic. (SVG), tagged image file format (TIFF or TIF), etc. in vector or raster format (which may contain two-dimensional image data). Said image data may additionally contain graphic interchange format (GIF), WebM, Matroska (mkv), etc. , or other formats for time-series images, such as video or animated images In one embodiment, the image data may include a three-dimensional image or video format for depiction on a holographic display.

Display data 204 may further include renderable data for depiction on display 108 . For example, display data 204 may include text data (such as raw text, or HTML), and/or equations, scripts, and other instructions for calculating the image for display. Display data 204 may further include a plurality of individual data elements associated with identification record 200 . These data elements may include contact information such as name, organization, phone number, email address, and the like.

The identification record 200 may additionally include authentication data 206 , which may include information to be electronically transmitted to at least one external device through the communication interface 110 . Authentication data 206 may include a user name, password, personal identification number (PIN), secret key, or other authentication data that facilitates access control. The authentication data 206 may correspond to data secured within the identification record 200 such that the authentication data 206 is not displayed or transmitted without user authentication and authorization.

In one embodiment, the display data 204 may be generated based on the authentication data 206 . For example, the authentication data 206 may be based on a hash-based message authentication code (HMAC) so that the identification management device 100 may indicate a one-time password to facilitate a multi-factor authentication scheme. It may include a secret key for generation of a one-time password (HOTP). Authentication data may further include secret keys or other information for rendering (one-dimensional barcodes, (two-dimensional, such as QR CODE codes), or other images optimized for computer scanning and/or machine readable properties). In embodiments, the display data based on the authentication data may correspond to data secured in the identification record 200 .

The attestation data 208 may include a public key, a challenge response protocol, or other requirements that may be used to ensure that an external device requesting the authentication data 206 is authorized to receive the authentication data 206 .

The security requirements 210 may include data, flags, or other instructions regarding any security protocol to be enforced by the authentication manager 126 prior to displaying or transmitting the data within each identification record 200 . may include. For example, in one embodiment, the security requirement 210 may require proof of user identity prior to displaying security data, such as a matrix barcode associated with the identity. Proof of user identity may be provided through a fingerprint scanner, facial recognition, input of a code or sequence through user control 120 , authentication from a pair of user devices, or other methods. The authentication manager 126 may verify that the credential data 208 is provided and that the security requirements 210 are met prior to enabling the display or transmission of data elements in the identification record 200 .

In various embodiments, the identification record 200 may include data elements that may be substituted for or in addition to those depicted and described herein. In embodiments, all or part of the identification record 200 may include data in a virtual contact file (VCF, or vCard) format. In embodiments, the identification record 200 may be converted to a virtual contact file, or other standard format, prior to transmission.

4 is a table view showing a number of identification records that may be stored in memory 104 . While the table of FIG. 4 is depicted in grid format for purposes of this embodiment, memory 104 may store identification record 200 in any data storage format. For example, memory 104 may include a relational database, a non-relational database, a flat text file, a binary file, or any combination. As shown in Figure 4, the display data 204 for each identification record 200 includes a main display and an authentication display, which will be displayed after any security requirements 210 have been met by the user. can For example, as indicated in the above record with ID 202a, only the main display is provided. This identification record is an example of a record dedicated to contact information. No security or authentication data 206 is provided, and no authenticated display is required.

For ID 202b, as indicated in the record, a fingerprint scan is required by security requirements 210 before the QR code is displayed. In this case, the QR code is generated based on the authentication data 206 and reads "batterystaple". For ID 202c, no security requirements are provided, so a username and password are provided on the authentication display. For identity 202d, security requirements 210 require a face scan, and authentication data 208 is a public key infrastructure (PKI) to be verified before the string provided in attestation data 206 is transmitted. ) requires an authentication key.Therefore, each identification record 200 includes a different identity and security element to record, thereby enabling different layers or security levels for each identification record 200 with different identities and security. elements can be recorded.

Identification record 200 may be stored in a fully or partially encrypted format (data-at-a-time encryption). The decryption key may be provided by a user input through the control 120 through a connection to an external device, or may be stored in a separate hardware or software component of the identification management device 100 . In embodiments, each identification record 200 may have a separate decryption key, for example, based on the security requirement 210. The identification record 200 may include the identification management device 100 (during data transmission). encryption) prior to transmission or further encrypted from the identification management device 100. Encryption at rest and transmission may be performed by any encryption scheme known in the art of the identification record 200.

5A-5C illustrate a series of screens that may be displayed on display 108 to provide both a main display and an authenticated data display. As shown in FIG. 5A , a main display of display data 204 is provided. When the user provides an input by, for example, actuating the right button 120b, the screen shown in FIG. 5B may be displayed. The screen of FIG. 5B corresponds to a fingerprint scanner and may request to provide a fingerprint input to the user control 120d. If the provided fingerprint matches the security requirements 210 for the associated identification record 200 , the QR code may be displayed as indicated in FIG. 5C . The authentication data 206 may further be provided on the display 108 with login credentials, such as a user name or password.

In one embodiment, the authentication data 206 may be output via a radio frequency (RF) output 116 (RF Output). RF output 116 may include one or more oscillators, filters and/or other components driven by processor 102 to generate a desired RF signal. The RFID parameters may be stored as authentication data 206 . The RF signal may be generated to respond to an active or passive RFID (RF ID) scanner in response to a security challenge. By displaying a machine readable authentication code via the display 108 or generating an RFID output via the RF output 116 , the identification management device 100 may duplicate or replace one or more secure identification badges or tags.

As shown in FIG. 6 , user device interface 112 allows identification management device 100 (labeled herein, identification management device 100a ) to connect to or pair with one or more user devices 300 . do. User device 300 may include a laptop or desktop computer, a mobile device such as a smart phone, or other computing device such as a tablet, smart watch, and the like. The user device interface 112 may be configured to receive the identification record 200 from the user device 300 , to transmit the identification record 200 to the user device 300 , to transmit or propagate the identification record 200 , and/or to request security. It may enable authentication credentials to satisfy the requirements of item 210 . The IMD interface 114 connects the first identification management apparatus 100a to the second identification management apparatus 100b. It allows all or part of the identification record 200 to be shared. In embodiments, sharing of the entire identification record 200, including confidential data, may allow appropriate authentication and authentication controls to be provided, while uniquely contact information may be shared by default.

7 is a schematic diagram illustrating the components of an identity management application 302 that is provided for executing computing hardware of a user device 300 . For the purposes of the present invention, user device 300 is used interchangeably with identity management application 302 . The application 302 may include a data store 304 for storing, in the memory of the user device 300 , one or more identification records, in addition to data associated with the paired identification management device 100 .

User interface 306 includes a screen that can be displayed on a display of user device 300 and controls (touch screen, graphical user interface (GUI), or command line entry user interface element that allow for receiving input from a user). ) may be included. User interface 306 receives user input and provides user output as provided by application 302 . The user interface 306 may include a mobile application, a web-based application, or any other executable application framework. User interface 306 may be embedded, provided, or accessed with respect to any computing device capable of communicating with user device 300 , receiving user input, and presenting output to a user.

The application 302 may further include a communication interface 310, which provides an IMD interface 312 and an API interface 314 using a connection mechanism provided by the user device 300. Figures 8a-8b shows a screen of an application 302 that may be displayed on a cellular phone user device 300 in accordance with one embodiment. The screens of Figures 8A-8B are discussed in detail below.

Figure 9 is a flow chart illustrating a method 1000 for loading an identification record 200 into a memory 104 via a user device 300. At 1002, the application 302 is shown in Figures 8A-8. provide a screen as shown to guide the user's input of the identification record In the exemplary screen shown in Fig. 8a, the user selects to search for a restaurant (Browse Idenities), the screen as shown in Fig. 8b You can choose to add a new Identity to

As shown in FIG. 8C , the application allows the user to take a picture or capture identity information through manual input. In embodiments, other input methods may be supported, such as selecting an image that already exists in memory, voice input, or the like. The application 302 allows the user to use the camera function of the user device 300 to take a picture containing identity information including, for example, the front and back of a business card. In embodiments, the application 302 may perform optical character recognition (OCR) to detect the text in the image and present the detected text to the user for confirmation in FIG. 8D . In embodiments, machine learning techniques may be used to train a model to detect text data in a business card-type format, as well as determine the most likely field associated with each detected text item. do. As shown in 8d, the user may be requested for authentication data 206, such as a username or password, which may not be written on the physical identification card. In embodiments, authentication data 206 may be provided by capturing an image (eg, scanning a matrix barcode associated with a multi-factor authentication scheme), and FIG. 8E illustrates a view of multiple identification records 200 . Display data 204 represents a screen of application 302 that can be shown to the user.

Returning to FIG. 9 , at 1004 , the application 302 allows the user to request synchronization from the identification management device 100 . If, at 1006, no device is detected within the range of the IMD interface 312, the user connects to the identification management device 100 through the display of the screen as shown in FIG. 8G at 1008 or may be requested to pair. The range of the IMD interface 312 may be determined based on a communication protocol supported by the user device 300 and the identification management device 100 . For example, the NFC communication range may be about 4 centimeters, while the Bluetooth range may reach about 77 meters.

After the connection is made, at 1010, the identification record may be transmitted from the user device to the identification management device 100 for storage in the memory 104. The identification record 200 may be encrypted in transmission or implemented In an example, it may be transmitted via plaintext.

At 1012 , the identification record 200 may be displayed on the display 108 for verification on the identification management device 100 . While method 1000 ) is described with respect to a single identification record 200 , it should be appreciated that synchronization may include the transmission of a plurality of identification records 200 of the identification management device 100 .

Embodiments of the present invention provide another method of generating an identification record 200 for transmission to the identification management device 100 . For example, the identification record 200 or a portion thereof is created by a credentialing organization, such as a government entity or organization. The identification record 200 may be transmitted to the user device 300 via a network connection or any other means of data transmission. The application 302 may access the identification record 200 selected by the user, for example, by opening a file residing on the user device 300 or accessing the system using the login credentials provided by the user. can The retrieved identification record 200 may be transmitted to the identification management apparatus 100 as necessary. Thus, instead of printing and distributing a physical identification card, embodiments may digitally generate a credential, such as a driver's license or security access card, digitally and send it electronically to the user.

10 illustrates a method for transmitting contact information from an identification record 200 between a first identification management device (IMD 100a) and a second identification management device (IMD 100b) and onto a user device 300b, according to an embodiment. (2000) is a flowchart for explaining. This method enables the identification management device 100a to effectively functionalize the electronic business card.

At 2002, the first user, User A, may select the identification record 200 on IMD 100a. Referring to FIG. 11A , the identification record 200 is made available in the memory 104 by, for example, repeatedly actuating the left button 120a (as shown in FIG. 11A ). can be scrolled or flipped. At 2004 , user A may instruct IMD 100a to share some or all of the display data 204 of the selected identification record 200 by actuating the right button 120b in the illustrated embodiment.

At 2006, user B may instruct IMD 100b to receive data. In an embodiment, the identification management apparatus 100 may provide a mechanism for automatically entering the reception mode when the power is turned on, or for the user control 120 to enter the reception mode. For example, the reception mode may be activated by pressing the right button 120b for a preset period of time. In 2008, the identification record 200 is provided to the IMD 100a through each IMD interface 114 or each scene management device. may be transmitted to the IMD 100b.

At 2010, user B may request user device 300b to perform synchronization with IMD B. In 2012, the identification record 200 may be transmitted to user device B after pairing and connection similar to that described above with reference to FIG. 9 .

As will be appreciated, method 2000 is one method of transmitting contact information to users via users of one or more identification management devices 100 . For example, in an embodiment, IMD 100a may be a matrix barcode, or other machine reading of display data 204 , that may be input to application 302b on user device 300b via a camera or other optical sensor. Possible rendering can be provided. For example, FIG. 11B illustrates a machine readable matrix barcode based on the contact information depicted in FIG. 11 in human readable form. IMD 100a may also present a business card-type screen of display data 204 that may be loaded into application 302b on user device 300b via a process similar to method 1000 above. Similarly, in embodiments, contact information may be shared directly via user devices 300a and 300b by display and capture of display data 204 . An example of such a data flow is illustrated in the schematic diagram of FIG. 12 .

13 is a flowchart illustrating a method 3000 of using the user device 300 to extend the propagation range of the identification management device 100 . At 3002 , a user may instruct one or more users to propagate the identity management device 100 , for example by activating one or more user controls 120 . At 3004 , the identification management device 100 may transmit a propagation command including the identification record 200 to the user device 300 . The application 302 may provide a radio or narrowcast transmission using the wireless transmission capability provided by the communication interface 310 via, for example, WiFi or BLUETOOTH. Another user device 300 running the application 302 or other compatible software may connect and provide an app-directed push notification by receiving the request. In one embodiment, the application 302 may provide a sikryeol record 200 through API 500 for distribution via e-mail, or receive text messages on user devices that do not have a compatible application installed.

At 3006 , the push notification may be delivered to one or more computing devices associated with the other user. Push notifications may be presented via application 302 or via text or other messages. At 3008 , if the other user accepts the notification, at 3010 the information may be sent from the user device 300 , otherwise the interaction may end. At 3012 , if the computing device includes a compatible application 302 , the identification record 200 may be transmitted to a second identification management apparatus. Through execution of method 3000 , the user retains the ability to accept or reject incoming transmissions. If the user accepts, the connection between the transmitting external source and the receiving electronic device may be established and the information may be input to the receiving electronic device.

14 is a schematic diagram illustrating the identification management system 10, ie, a plurality of identification management devices 100 and user devices 300 (although only one identification management device 100 and user devices 300) indicated) may be included. System 10 may additionally include one or more security systems 400 , such as networks, institutions, buildings, files, digital rights or other systems, data stores, and data structures in which security credentials are provided. An application programming interface (API) 500 may provide a connection between the user device 300 and the security system 400 .

API 500 includes application software or instructions for execution on one or more network-connected platforms, such as a cloud computing environment. In this specification and in the claims that follow, "cloud computing" refers to configurable computing resources (e.g., networks , servers, storage, applications, and services) is defined as a model that enables ubiquitous, convenient, on-demand network access that enables access to a shared pool of servers, storage, applications, and services, and then scales accordingly. Cloud models may provide or later discover various functions such as on-demand self-service, extensive network access, resource pooling, fast resiliency, measurement services, or any suitable characteristics known primarily among techniques common in the field. The cloud service model may include Service as a Service (SaaS), Service as a Service (PaaS), and Infrastructure as a Service (Iaas). Cloud deployment models may include private cloud, community cloud, public cloud, hybrid cloud, or any suitable service type model currently known of general skill in the above field or discovered later. The databases and servers described for the present invention are included in the cloud model.

API 500 allows other external agents or users to compose the data in identification record 200 for provisioning to user device 300 and identification management device 100. For example, API 500 may provide a data store containing dynamically updated authentication data 206 that may be provided to applications 302 and/or identity management device 100. API 500 may provide authentication data 206 It may provide, verify, or authenticate the certificate data 208 as requested to be provided only to those systems and services to authorize it to receive it.

15 is a flowchart illustrating a method 4000 for authorizing user access to a resource, according to an embodiment. At 4002 , the identification management device 100 may transmit the authentication data 206 , or another part of the selected identification record 200 , to the security system. For example, authentication data 206 may include one or more X.509 public key infrastructures (X.509 public keys) comprising electronic data interchange personal identifier (EDPI) data encrypted based on a personal identification number (PIN). infrastructure (PKI) certificates. In an embodiment, the authentication data 206 may be transmitted over the air by displaying a computer readable image for optical scanning (such as a bar code) or an RF signal generated by the communication interface 110 , the RF output 116 . by the identification management device 100 may be transmitted to the security system.

At 4004 the security system may request the PIN or other encryption key from the user. At 4006, the security system may receive the requested PIN from the user. At 4008 , it can be verified that the PIN matches one of the PKI certificates stored in the authentication data 206 . If the PIN does not match, an error may be generated at 4010. If the PIN matches, at 4012 identifying information such as EDIPI may be extracted. In embodiments, PIN matching may be facilitated by API 500 . For example, API 500 may provide a service that provides a boolean result regarding "match" or "mismatch" given the input PIN and PKI certificate. In other embodiments, API 500 may provide identification or authentication services based on a received PIN, a received PKI certificate, or both. For example, API 500 may provide EDIPI in response to receiving a valid PIN and certificate, or the identified (authentication) user may access a secure resource based on central authentication configuration data stored by API 500. It can provide a decision on whether or not you are authorized to do so.

At 4014 , access to the secure system may be granted based on successful authentication based on authentication data 206 stored in memory 104 (that the user has) and a PIN (known by the user).

It should be understood that the individual steps used in the above methods of the present disclosure may be performed in any order and/or concurrently as long as the above methods are operable. Moreover, it should be understood that the apparatus and methods of the present disclosure may include any number, or all, of the above-described embodiments so long as the disclosure is operable.

Embodiments of the present invention provide numerous advantages over existing methods and techniques for storing and distributing identification material. Embodiments enable storage and management of a library of contact information for both a plurality of personal information or the identity of the user, and further track and manage the contacts the user creates. Embodiments limit the need to hold multiple business cards or carry multiple security credentials. Embodiments improve the quality of interactions between individuals or other entities or agents by reducing the inconvenience that arises as a result of holding tangible identification material, such as a business card. Embodiments further improve the identity sharing and verification system by providing a secure device for storing identification and authentication data.

The identification management device of the present invention provides secure storage, transmission, and display of identity information. Paired communication with a user device allows the user to send identification material as an image to the device and edit or delete existing information. The user device may be a channel through which the identification management device can broadcast information to other devices or applications through the propagation capability of the user device. This allows the identification management function of the device to be extended to alternative or high-power transmission methods and protocols without hardware and software support for this transport mechanism of the device itself.

Embodiments of the present invention may provide a portable device for storing identification and authentication data. The small size of the device allows the identification management device to be carried in a pocket, wallet, or keychain. The device may require less power than other portable electronic devices, such as cell phones, as it may have a low power e-paper display that can use power when further updated. Because embodiments include the ability to broadcast information via separate user devices, embodiments of the present invention may avoid implementation or use of higher energy wireless communication schemes such as WiFi.

Embodiments of the present invention provide security measures to restrict viewing or access to data stored or transmitted only to authorized or authorized agents. Embodiments allow access to be restricted to specific trusted agents or organizations so that the host selection information is only visible to the host selection agent, keeping personal information from the malicious actor's hands and maintaining the security of the information during broadcast or exchange. Provides information security.

Embodiments of the present invention may improve the interactive experience during information exchange and may provide for interactions with databases such as digital rights access and personal account access.

The present embodiment may mitigate the threat of identity theft, fraud, or other criminal activity and negative externalities that may occur as a result of a combination of identification material and malicious actors. For example, malicious actors could use user credentials created prior to said retirement to allow a retired employee to use user credentials created to access resources, such as expired employee credentials that could be an indication of organization-related retirement. identity can be taken. While conventional systems can provide this, if the authentication information for each resource is updated appropriately upon termination, the cost of updating and securing the identification information is in risk, time, resources, and the individual responsible for the update. can be very high for More specifically, this cost can be presented as an example of inefficiencies that arise as a result of no coordination between the transmitter and the receiver. The act of updating business cards and digital rights badges is costly for companies and costly for individuals who use them because prior art does not provide a centralized or electronic means for managing those updates. This problem may arise from the waiting time period for the update.

Embodiments further provide improved technology for transmitting identifying information that must remain secure, such as personally identifiable information (PII) and certificates, such as insurance cards, driver's licenses, passports, or other government-issued identification documents. to provide. Those credentials require strong security measures, and there are significant risks associated with the host for both data transfer and data stored on the device. Accordingly, embodiments provide for encryption of data break and data transmission, with authentication requirements that can vary for each type of identification record.

In embodiments, system 10 and/or components or subsystems thereof may include computing devices, microprocessors, modules, and other computers or computing devices, which may be any programmable device that accepts digital data as input. may be, which is configured to process the input according to an instruction or algorithm and provide a result as an output. In one embodiment, computing and other subject matter devices discussed herein may include or be coupled to a central processing unit (CPU) configured to perform the instructions of a computer program. Computing and other subject matter devices discussed herein are configured to perform basic arithmetic, logic, and input/output operations.

Computing and other devices discussed herein may include memory. Memory may include volatile or non-volatile memory required by the associated computing device or processor to provide space for executing the instruction or algorithm as well as providing the space for storing the instruction itself. In one embodiment, volatile memory may include, for example, random access memory (RAM), dynamic random access memory (DRAM), or static random access memory (SRAM). In one embodiment, non-volatile memory may include, for example, read-only memory, flash memory, ferroelectric RAM, hard disk, floppy disk, magnetic tape, or optical disk storage. The above list does not limit the types of memory that may be used as these embodiments are not intended to limit the scope of the invention, for example, for example.

In one embodiment, the system or component thereof includes or may include various modules or engines, each of which is configured, programmed, configured, or not to autonomously perform its own function or set of functions. As used herein, the term "engine" is implemented in hardware such as, for example, an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA), for example, a combination of hardware and software such as a microprocessor system. or as an actual device, component, or arrangement of components implemented as a combination of hardware and software, such as a microprocessor system and a program instruction set that adapts the engine to implement the specific function. The engine may be implemented with a combination of the two, with specific functions facilitated by hardware alone and other functions facilitated by a combination of hardware and software. In certain implementations, at least in part, and in some cases, hardware that executes the operating system, system programs, and application programs (eg, one or more processors, data storage devices such as memory or drive storage devices, network interface devices, video Multi-tasking, multi-threading, distributed (e.g., clustered, peer-to-peer, , cloud, etc.) to implement the engine. Thus, each engine may be implemented in a variety of physically feasible configurations and is generally not limited to any particular implementation set forth herein, unless such restrictions are explicitly invoked. Also, an engine may itself be composed of one or more sub-engines, each of which may be considered an engine in its own right. Moreover, in the embodiments described herein, the various engines correspond to defined autonomous functions. However, it should be understood that in other contemplated embodiments, each function may be distributed to more than one engine. Likewise, in other contemplated embodiments, a plurality of defined functions may be implemented by a single engine implementing such multiple functions, or a single engine distributed differently or with other functions, other than as specifically described in the examples above. can be implemented by

Various embodiments of systems, apparatus, and methods are described herein. These examples are provided by way of example only and do not limit the scope of the claimed invention. Moreover, it should be appreciated that various features of the described embodiments may be combined in various ways to produce various additional embodiments. Moreover, although various materials, dimensions, shapes, configurations and locations, etc. have been described for use with the disclosed embodiments, others may be utilized without departing from the scope of the disclosed subject matter.

Those of ordinary skill in the art will recognize that the above embodiments may include fewer features than those shown in any individual embodiment described above. The embodiments described herein are not meant to be exhaustive representations of how the various features may be combined. Accordingly, the above embodiments are not mutually exclusive combinations of features. Rather, embodiments include combinations of other individual features selected from other individual embodiments as would be understood by those of ordinary skill in the art. Moreover, elements described with respect to one embodiment may be implemented in other embodiments, even if not described in those embodiments, unless stated otherwise. A dependent claim may refer to a claim for a particular combination with one or more other claims, although other embodiments may further include a combination of one or more features of that combination of dependent claims with other dependent claims or other dependent or independent claims. may include Unless stated that a particular combination is not intended, that combination is suggested herein. Moreover, it is intended to further include features of the claims in any other independent claim even if this claim is not directly executed in accordance with such independent claim.

Moreover, in reference to “one embodiment,” “an embodiment,” or “some embodiments,” a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the disclosure. The appearances of the phrase "one embodiment" in various places in the specification are not necessarily referring to the same embodiment.

Any incorporation by reference to the above documents is limited to the inclusion of technical material contrary to the express disclosure herein. Any incorporation by reference of the above document is further restricted so that the claims contained therein are not incorporated herein by reference. Any incorporation by reference in the above document is further limited such that no definition provided herein is referenced herein unless expressly included herein.

For the purpose of interpreting the claims, it is expressly intended that the provisions of section 112 of the United States Patent Act do not apply unless a "means" for the particular term "or" above is claimed.

Claims (35)

a processor operatively coupled with a memory, display, and communication interface; and
including instructions;
The instructions, when executed by the processor, cause the process to:
a user device interface configured to receive at least one identification record comprising visually delineable identification data from a user interface via the communication interface and store in the memory; and
a user interface configured to update the display to present the visually descriptive identification data;
Identification management device, characterized in that to implement. The apparatus of claim 1 , further comprising at least one user input sensor operatively coupled to the processor. 3. The user interface of claim 2, wherein, upon receiving an indication of user input from the user input sensor, the user interface toggles a display between displaying the identification data in a first user readable format and a second machine readable format. Identification management device, characterized in that it is further provided to toggle. 4. The device of claim 3, wherein the second machine readable format is selected from the group consisting of a one-dimensional barcode, a two-dimensional barcode, and a copy protection hologram. The identification management device according to any one of claims 2, 3 and 4, wherein the at least one user input sensor comprises a push button switch. 5. The apparatus according to any one of claims 2, 3 and 4, wherein the communication interface is arranged to encrypt outgoing communications and decrypt incoming communications. 5. The apparatus of any one of claims 2, 3 and 4, wherein the identification record further comprises an authentication data element. 8. The apparatus of claim 7, wherein the user interface updates the display to present the authentication data element upon receiving an indication of user input from the user input sensor. 8. The apparatus of claim 7, wherein the instruction further causes the processor to further operate an authentication manager to transmit the authentication data element to an external device via the communication interface. 8. The method of claim 7, further comprising a radio frequency generator operatively coupled to the processor;
wherein the instruction causes the processor to operate the authentication manager to generate a radio frequency signal based on the authentication data through the radio frequency generator. The method of any one of claims 1, 2, 3, and 4, wherein the instruction comprises:
sending at least one identification record to a receiving device via the communication interface;
receiving one or more identification records from a transmitting device via the communication interface;
Identification management device, characterized in that to operate the ID sharing interface provided to do so. [Claim 5] The method of any one of claims 1, 2, 3 and 4, wherein the communication interface is a Bluetooth (BLUETOOTH) interface, a Wi-Fi (WI-FI) interface, or Near Field Communications (NFC). An identification management device comprising at least one of the interfaces. 5. The apparatus of any one of claims 1, 2, 3 and 4, wherein the display comprises an electronic paper display. An identification management device according to claim 1 , 2 , 3 or 4 ; and
user device;
the user device comprising at least one user device processor and at least one user device memory, the user device communicatively coupled to a communication interface of the identity management device;
wherein the user device memory is stored to implement a user interface configured to, when the user device processor is executed according to a user device instruction, the user device processor receives identification data from a user and generates an identification record. . 15. The system of claim 14, wherein the user device instructions cause the user device processor to implement an identification management device interface configured to send an identification record to the identification management device. 16. The system of claim 15, wherein the identification management device interface is configured to encrypt the identification record prior to transmission to the identification management device. a processor operatively coupled to a memory, a display, a communication interface, and a user input sensor; and
including instructions;
The instructions, when executed by the processor, cause the processor to:
a user device interface configured to receive at least one identification record comprising visually descriptive identification data from an external identification source via the communication interface and store in the memory; and
updating a display to depict the visually delineable identification data and depicting the identification data between a first user readable format and a second machine readable format upon receiving an indication of user input from the user input sensor. Identification management device, characterized in that it implements a user interface provided to toggle the display. a processor operatively coupled to a memory, a display, a communication interface, a user input sensor, and a radio frequency generator; and
including instructions;
The instructions, when executed by the processor, cause the processor to:
a user device interface configured to receive and store in memory at least one identification record comprising visually delineable identification data from an external identification source via the communication interface;
a user interface configured to update the display to depict the visually delineable identification data; and
and implement an authentication manager configured to generate a radio frequency signal based on authentication data via the radio frequency generator. An identification management method for controlling user access to a secure source, the method comprising:
In the security system, receiving authentication data including a certificate based on the private key from the identification management device;
requesting a private key code from a user by the security system;
receiving the private key code provided from a user;
extracting, by the security system, an identifier of a user from the private key to determine whether the provided private key code matches the private key;
generating an error if it is determined that the provided private key code does not match the private key;
if it is determined that the provided private key code matches the private key, determining whether the user is authorized to access the security system based on the extracted identifier of the user; and
and granting the user access to the security system if the user is authenticated for access to the security system. The method of claim 19, wherein the identification management device,
a processor operatively coupled to a memory, a display, a communication interface, a user input sensor, and a radio frequency generator; and
including instructions;
The instructions, when executed by the processor, cause the processor to:
a user device interface configured to receive and store in memory at least one identification record comprising visually delineable identification data from an external identification source via the communication interface;
a user interface configured to update the display to depict the visually delineable identification data; and
and implement an authentication manager arranged to provide authentication data to the security system. 20. The method of claim 19, wherein the authentication manager is arranged to provide the authentication data to the security system by way of at least one of a wireless signal or a machine readable display of authentication data. 20. The method of claim 19, wherein the provided private key code is a personal identification number. 20. The method of claim 19, wherein the security system is a computing resource. 20. The method of claim 19, wherein the secure system is a physical environment, and granting user access to the secure system comprises allowing the user to access the physical environment. receiving, at a user device, a data element of an identification record comprising visually delineable identification data;
receiving a connection request to an identification management device;
connecting to the identification management device to transmit identification data from the user device to the identification management device; and
and displaying the visually delineable identification data on the identification management device. 26. The method of claim 25,
determining whether the identification management device has previously been paired with a user device; and
and if the identification management device has not previously been paired to the user device, requesting approval from the user to pair the identification management device to the user device. receiving, from a first user of the first identification management device, a selection of an identification record stored in a memory of the identification management device;
receiving, at the first identification management device, an instruction to transmit the identification record from the first user;
receiving, from a second user of a second identification management device, an instruction to receive an identification record;
sending at least a portion of the identification record from the first identification management device to a second identification management device; and
and storing, in the second identification management device, at least a portion of the identification record in a memory of the second identification management device. 28. The method of claim 27, wherein at least a portion of the identification record includes public display data of the identification record. 28. The method of claim 27, wherein at least a portion of the identification record does not include personal authentication data of the identification record. 28. The method of claim 27,
receiving, at a user device associated with the second user, a request to synchronize with the second identity management device; and
and transmitting the at least a portion of the identification data from the second identification management device to the user device. receiving, at the first identification management device, a selection of an identification record stored in a memory of the identification management device from the first user;
receiving, at the first identification management device, an instruction to transmit identification data from the first user;
receiving, at a first user device associated with the first user, a request to broadcast the identification record;
receiving, at one or more other user devices, a notification of available identification data; and
and receiving, at at least one of the one or more user devices, an identification record. 32. The method of claim 31, further comprising, prior to receiving the identification record, requesting authorization associated with each of the one or more user devices to receive the identification record. 32. The method of claim 31, further comprising transmitting identification data from the first user device to one or more other user devices via a direct wireless connection. 32. The method of claim 31,
transmitting the identification data from the first user device to an identification management system; and
and transmitting, by the identification management system, identification data to each of the one or more other user devices. The apparatus according to any one of claims 27 to 34, wherein the identification management device comprises:
a processor operatively coupled with a memory, a display, and a communication interface; and
instructions; including;
The instructions, when executed by the processor, cause the processor to:
a user device interface configured to receive at least one identification record comprising visually descriptive identification data from an external identification source via the communication interface and store in the memory;
a user interface configured to update a display to depict the visually delineable identification data;
Identification management method, characterized in that provided to implement the.

Images